Securology

Monday, September 8, 2014

Just a quick thought in the absence of meaningful thoughts on here ...

When Target was breached at the end of 2013 (and every day since then), from the safety of their climate controlled armchairs, pundits have cast judgement on Target. "Target was negligent." Or maybe "Their PCI QSA wasn't thorough." Sentiments along those lines ...

Now, here comes The Home Depot's breach. Same malware. Same techniques. Quite possibly orders of magnitude higher in scope than Target (time will tell). The same ol' drums will beat from smart phones and tablets in living rooms everywhere.

The reality is ... It's very difficult. Difficult to get security "correct." And more difficult to keep it in that "correct" state over time. A single chink in the armor, so the ol' stitch goes ...

For the self-acclaimed pundits who throw rocks in glass houses, consider this:

Every single Level 1 merchant that has been breached has signed RoCs (Reports on Compliance) signed by both a third party and representatives of the credit card brands.

Now for the realistically jaded perspective: PCI is really just about transferring risk to merchants and away from the card brands. That's it. Does it work? Sure it does, since consumers are still using credit cards at merchants, and the economy hums along.

Wednesday, January 22, 2014

It's time to give the blog a little push. It's been 7 years with spurts of on again off again contributions all over the spectrum of security, from information security and privacy to physical security with smatterings of things like writing code and picking locks ... maybe even a theme of how politics can affect security policy decisions from time to time as well.

Here are some of the top computer/information/application/software security highlights, many of which are top Google search hits as well:

Friday, June 7, 2013

Sure, there are lots of random password generators out there, but how many of them are integrated with our very feature-rich open source code repository of tools that will help you to code against Active Directory, while also standing alone as a simple quick to use tool for a helpdesk?

Wednesday, June 5, 2013

If you are an organization of any size, chances are you have an Active Directory instance sitting around, and maybe some level of additional investment in Microsoft products beyond Windows on client machines and a couple servers. And the more investment you have, the more value you will get from having relevant data in your Active Directory. You may even have some developers on staff that write applications in C# or VB .NET. Chances are, though, your developers won't understand or even want to understand Active Directory.

They may, however, be able and willing to code to a few random source code examples that float around on the web, but most examples are not very feature complete. So it requires developers digging into the musty underbelly layers of Active Directory to learn how to get what they need. Few will dig.

You could purchase an API, but the licenses may be expensive, and you may only want to read or set a couple of attributes on a user or group object that nobody else seems to have documented how to do well enough to satisfy your developers.

Or you could just send your developers to the new Securology GitHub repository to pull down a fully-functional, open source, non-restrictively licensed API to include in their projects to get up and going.

Maybe you just dealt with a large scale AD migration and you need to peel back the layers and extract user or group SIDs (Security Identifiers) or validate that SIDs from previous domains on imported objects are properly stored in the SID History?

Maybe you have a basic interface with your HR system, but don't want to shell out tons of cash to purchase a metadirectory tool like Identity Lifecycle Manager to move HR data like manager/reporting relationships around, but could really benefit from having that data in your Exchange, SharePoint or other application environments.

Maybe you need to set the user's employee number from your HR system on each AD user to identify the authoritative data source to satisfy an Active Directory Audit.

Maybe you just want to read or write the AD user's address, telephone, or even IP Phone number.

Maybe you have a mixed environment that also contains Unix servers and you need to set Unix attributes on the IT Unix Admin user accounts for a Unix SSO to AD product that you're using.

Maybe you'd like a safer way to programmatically move or delete Active Directory objects?

Maybe you'd like an easier way to programmatically add or remove a user from an AD group? Or maybe check if they already are in that group?

Maybe you'd like to populate your AD with Contact objects for business partners who don't need user accounts in your domain or forest, but so that they'll still show up in the Global Address List (GAL)?

Maybe you need a way to programmatically create an Organizational Unit (OU)?

Maybe you'd like to toggle an AD group from "Security" to "Distribution" and back again? Or "domain local" to "universal"? Or dump all of its members? Or check if the AD group has no members? Or set the "owner" of the group for audit/management purposes?

Maybe you'd like to prune back old computer objects? Or build a report to show what Operating Systems are in your directory? Or safely move or delete computer objects?

Maybe you'd like a way to expose the True Last Logon time of a user account without manually checking each Domain Controller and comparing times? Or maybe you'd like a nice multi-threaded (and fast!) way of checking all Domain Controllers simultaneously?

Tuesday, June 4, 2013

In another IT Pro tip related to Active Directory, suppose an organization has an internal AD forest, but has a company policy that only paid personnel are to have accounts in that directory. That's a fairly rational policy:

If we pay you directly, then you're an employee, so you get an account

If we pay you indirectly, then you're a contractor that we've hired, so you can also get an account

If you pay us, whether directly as a consumer, retailer, or reseller, or indirectly as a consumer through a retailer or reseller, then you're a customer, so you probably should not have an account in our internal AD forest.

But suppose you have an application that needs to be built that will allow both employees/contractors, AND customers to access it, and you don't want to setup yet-another-provisioning process for granting and revoking access for employees and contractors?

Enter a common solution: Active Directory - Lightweight Directory Services (previously known as ADAM, AD Application Mode, a.k.a. an "application" directory). This is a lightweight, LDAP only directory with less bells and whistles than AD has, but many Microsoft-centric applications can plumb right into it.

But to achieve a true Single Sign On for the internal AD users, the IT Admin must create either a UserProxy or a UserProxyFull object in the AD-LDS. Both function nearly the same, but a UserProxyFull has additional schema data elements for storing additional contact data fields, which are generally handy for today's applications.

Under the hood, when an internal AD user connects to the application, an authentication request is passed to the AD-LDS, which looks up the UserID of the internal user, finds the User Proxy object, and then performs Kerberos authentication against the internal AD. All other attributes, though, from contact data fields, to the group memberships that the UserProxy has, are separate from the internal AD forest. In essence, nothing is automatically the same and it's yet-another-directory-to-manage.

Wouldn't it be nice if there was a way to build a service or application in C# .NET so that a configurable subsection of your organization's internal AD user community could automatically be provisioned and deprovisioned, complete with metadata updates, and maybe even rudimentary AD-LDS group memberships based on your AD data? Why yes, yes that would be very nice.

Wouldn't it be even nicer if the code was open source so we can take it, borrow it, and use it internally without a restrictive license? Why yes, yes that would be very nice, too.

Wouldn't be even nicer still if this article linked straight to that source code?

Monday, June 3, 2013

IT Administrators have certainly been in the tough scenario where a security policy mandates that passwords expire in X days, but there are constraints that make it really hard for the user account passwords to actually change. For example:

Dealing with service, application, or generic accounts and a strict constraint to not mark them as non-expiring (forever) passwords

Dealing with rarely active human users who suddenly need to (on-demand) authenticate against an application, such as HR benefits open enrollment for employees who are not "information workers" (don't access computers).

There are a couple tricks for dealing with this without causing interruption. Take note that these "tricks" may completely circumvent the letter and perhaps even the intent of the "policy". But even with astute auditors, the intent of using these tricks will likely never get noticed.

Or perhaps you are an auditor, and reading the details of these tricks will open up your mind to look for new events that signify lack of compliance.

Administrative Password Resets

If you know the password for the account in question, then simply perform a password reset with that password. If you have never thought to do this before, this may at first seem counter-intuitive: after all, resetting a password with a password history rule turned on by policy will cause the password to change, right?

Wrong. There are two ways an Active Directory password can change:

The user initiates a password change event, in which they are required to supply the current password in addition to a new password.

The administrator with permissions on the UserAccountControl attribute of the AD user object can perform an administrative reset.

A reset by an administrator must support changing the password when the user is locked out and does not know the password, therefore, the administrator is not required to know the current password.

Also, a reset by an administrator does not enforce password history. If it did, a rogue administrator could inadvertently learn the current password if the new password supplied by the administrator failed to reset due to password history requirements. Sure, they just reset the password and could impersonate the user anyway, but that may not be the point: that user's password might be the same on a different (non-Active Directory integrated) application.

So, if you know the current password, perform a RESET and the password last set date attribute on the user account in the directory will update, effectively hitting the snooze button.

A More Clever Trick

But what if you don't know the current password for the account?

In the scenario of a mostly-inactive end user community that suddenly need to hit an application (e.g. your company's HR system for annual benefits enrollment):

there may be too many users to learn their passwords

asking the user for their password is likely faux pas

the user may not even know the password anyway (since it's been a year), and

resetting a large collection of users passwords to a standard/default that everyone shares is insecure

and resetting individually unique passwords for an infrequent, on-demand access presents communication problems all of its own

So, what to do?

You could disable or extend password expiration. In Windows 2003 AD and earlier, this meant changing the policy for everybody, which may not be the intent at all. This is especially true if there are both active and inactive users in the directory, since active users will not get the normal "your password is about to expire" warning X days before it's too late. Reverting your password expiration policy setting back to the original value could result in a portion of your active users suddenly being locked out and calling for help. In Windows 2008 and later, you can have multiple expiration policies within a domain, but your user objects may not be grouped to distinguish the inactive users of concern. You could identify them and move them (and even script that step), but then you may have to move them back to many different OUs (Organizational Units) which could be just as much of a pain as the original problem.

Or you could follow this set of steps (which are scriptable!):

In Active Directory Users and Computers, locate the user with the expiring or expired password

Check the "force password change at next logon" box.

Click Apply.

Uncheck the "force password change at next logon" box.

Click Apply.

And VOILA! That user's password expiration has just been snoozed-- effectively reset for another iteration, and with zero knowledge of the current password. The password last set date will appear to be the moment you hit step 5.

How does this work?

Under the hood, the user attribute which stores the date/time when the password was last set is also dual purposed for the password must change flag. The value is a really large integer which contains the number of ticks of seconds as a representation of time. But when the force password change button is checked, the value of seconds of time is wiped out. "Empty" is how the flag is stored. The last date/time is wiped out. So, when the administrator unchecks the force password change checkbox, AD Users & Computers has to put SOMETHING in that attribute, because NOTHING appears like it is flagged for change. But the original value is gone forever! So what does it store there? The current date/time. Hence, the user appears to have had its password reset without any actual (visible) changes to the user.

This can all be scripted out using the dsquery and dsmod commands the Microsoft ships with Active Directory. PowerShell could also be used. Or, an astute C# (or VB) .Net developer could simply take a look at the Securology GitHub repository, to see the example Password Snooze Button console app, to incorporate it into your organization's existing user management applications and services.

For the Auditor

To detect if an organization that you are auditing has been using the first option (administrative password resets to snooze the expiration), look for:

Event log data for password resets of multiple accounts at roughly the same time, since this would likely be done "in mass" by the IT administrator

Service accounts that all have roughly the same password last set date and time. Manually resetting multiple passwords would have a period of time between each reset event, but a script would cause them all to be within a few seconds of each other

User accounts that have been in existence for longer than the password expiration policy's time out, but that have one or few historical passwords stored in the directory (requires a very low level AD editing tool to discover), while still being active (lots of log on events)

To detect if an organization has been using the second option (password must change flag), look for:

Lots of user accounts with nearly the same date/time value for the password last set attribute.

Lots of user accounts that have not logged in since their password was last set.

If event log data is available, look for lots events denoting the must change password flag was set or unset.

Even if long term historical event log data is available, the determined IT administrator could spread out these events to appear sporadic, random, or intentionally related to a user's call to a help desk. A determined administrator could both keep the lights on and keep auditors at arms' length without detection of a policy violation.

Monday, May 13, 2013

This is something we have wanted to do for some time and finally are now able! As our contributors find the time and freedom to contribute some of our intellectual property back to the greater community at large, we will add more repositories and content there.

Our first offering is a C# .NET wrapper that can do more to manage Microsoft Active Directory instances (including Active Directory Lightweight Directory Services, formerly known as ADAM, or Active Directory Application Mode) than any other open source project can do (which is why we wrote it in the first place). Our open source Active Directory Services repo is available here:https://github.com/Securology/ActiveDirectoryServices

Enable, set, and maintain Microsoft Exchange attributes to enable objects to become visible in the GAL (Global Address List), which also works for Microsoft's Exchange Online hosted service via DirSync.

Import various rooms and resources from a .CSV file into Active Directory and enable their visibility in the Exchange GAL.

Enable and Manage Office Communicator/Lync attributes to turn on/off access to your company's Lync/OCS server, setup default policies, including access to any internet-facing proxy servers as well as archive/logging per user.

Generate random passwords for users.

A nifty way of "snoozing" when a AD user's password expires while keeping the same password.

And much more...

Eventually, we will share a working Provisioning Web Service that will be a great solution for limited budget organizations that want some of the functionality Microsoft's Identity Lifecycle Manager (ILM) includes, without the heftier license cost and infrastructure requirements.

Here's a (slightly dry) walk through of how the lock is defeated using just a magnet, leaving no forensic evidence of unauthorized entry whatsoever:

One aspect of this story that will be interesting for computer security professionals is the element of "responsible disclosure" used by Tobias to attempt to force the hand of the manufacturer to fix the problem, followed by the manufacturer's all too familiar "there is no such problem" response (yet they did fix it).

One of the researchers, Marc Weber Tobias, has a variety of other very interesting (but dry) videos describing physical lock security and some of the particular products that are defeated. His YouTube channel is worth a review.

Friday, October 26, 2012

Anyone who pays any attention to DRM will extrapolate the general principle:

You can never prevent an end-user who has physical control of a device from breaking any DRM scheme you can invent.

Sony just learned their DRM lesson (again). I'm sure that people at Sony already know this principle, but some "suit" tells the engineers to "do something about the problem" so they implement a technical speed bump. That's all it is and will ever be.

Thursday, October 18, 2012

Wouldn't it be really scary if physical locks in large planned cities like NYC were designed to use skeleton keys-- master keys that are shared with do-gooder firefighters and locksmiths alike-- without ever thinking what could happen if such keys got into realm of the average Joe, whose do-gooder status was unknown? Yep it would.

Look but don't pay attention to key teeth details!

Wouldn't it be even scarier if those who cried "the sky is falling, the sky is falling" also were dumb enough to post high res photos of the skeleton keys on their websites (pictured left) so that anyone with access to key blanks and tools could easily measure and create their own skeleton key copies? Again, yes.

Saturday, October 6, 2012

It's very common for Hello World example apps in textbooks or other educational literature to promote insecure software building practices right out of the gate. What a breath of fresh air to see the Microsoft MVC folks safely HTML encoding (to avoid XSS) in their MVC4 Hello World application!

Friday, October 5, 2012

With the news containing stories of malware distributing via compromised Certificate Authorities, it makes sense that some IT Security blogs would address "what to do" if this happens to your CA. This blog post gets it wrong, though:

What would you do if you found out that the Certificate Authority
that provides Digital Certificates to your company was compromised, and
Microsoft was adding the Certificate Authority’s public key to Windows
un-trusted Root Store? Well if you have not got a contingency plan to
implement then I can presume you will be in a panic to purchase new
certificates from another Certificate Authority... It can take Certificate
Authority’s (CA’s) a few days to validate domain ownership and company
registration details... While all this is
happening your customers are getting a message from Internet Explorer
that your SSL certificate is not to be trusted.

What can you do?

Do not rely on one Certificate Authority for all of your certificates. You should have a relationship with at least two well known Certificate Authority’s and the CA’s should have validated all of your domains. This will let you quickly order Digital Certificates from the second CA without having to go through the company validation process...

If you cannot tolerate any downtime for a service you can take the extra step in which you create backup certificates for each service using your backup Certificate Authority. This will enable you to implement the backup certificates without having to contact the second CA and joining the queue of company’s looking for new certificates.

Keep in mind that the worst-case scenario described above would require the Root CA Certificate to be compromised. Most Root CAs are offline certs, meaning the computers that house them are not powered on except during special circumstances when new intermediate CA certificates are generated, OR, they are online in an "air gap" (disconnected from the internet) network accessible only via sneakernet. Exploiting an offline CA is a big deal, and if it occurs it won't be just your organization that is affected, but likely a large part of the entire internet.

So a much more plausible option:

The CA will just create a new intermediate CA cert
and re-issue client certs to all of its paying customers.

Acute angles on the corners of a building are added to the architectural design to eliminate "dead zones" in which an adversary could hide or take refuge. At the time of star shaped fortifications, all of the competing designs employed rounded towers or turrets at each corner, typically to house archers. As a breaching force approached the rounded corner, they were able to hide from the archers using the fortifications intended to be an asset in favor of the defenders.

Acute angles, however, prevented the breaching force from seeking shelter along the very walls intended to shelter the defenders. [See the illustration, below right.]

Modern applications against a well equipped modern adversary are very limited, since "air support" ruined traditional fort designs (adversaries can simply rain fire from above). However, against a low tech insurgency, the classic star design still prevails.

There are also applications for the acute corners in modern civil architecture.
For example, an HVT (High Value Target) person, such as a celebrity, bank CEO, or anyone else that might typically employ a Private Security Detail, these corners help to deter snatch-and-grab and similar attacks by simply limiting the avenues of approach. Col Jeff Cooper, famous for dealing with small arms fire, had a fascination with these acute angles to the extent that the term "Cooper Corners" was coined referring to this much older design.

In public civil architecture, there are obvious applications in places such as bank vaults, manufacturing facilities where the likelihood of espionage is high, and even public restrooms in semi-remote and semi-private, yet public places like city parks, where the likelihood of an after dark robbery or rape assault is high. In the case of the park (along with a well designed layout of lighting, landscaping, and shrubbery) the acute angles may be just the trick to eliminate lie-in-wait hiding places.

The next time you are tasked with securing a high value asset at a physical location, being familiar with the acute angles of the Medieval star fort might be the exact tool you need to pull out of your security toolbox.

Wednesday, September 26, 2012

Do you live in an area that is likely to have civil unrest and protests? Perhaps having a Press Pass may get you out of trouble. ITS Tactical ran an article on just how to do this.

An excerpt:

Protesting is About Attention!Use that to your advantage.
Protesters love the press. It can be a relatively simple proposition to
get a press pass that will get you through/past protests that completely
block traffic. Afterwards, ask them for a letter stating you have
written for them, etc.

Set up a blog using a free service like Blogger or WordPress.

Write an “About” page or article telling people that this blog is for covering local protests or demonstrations

Friday, September 21, 2012

Reconstruction

The reconstruction of sensitive documentation has been around as long as shredders have. According to a fantastic NY Time article
that everyone should read, reconstruction was first brought to light
during the 1979 US Embassy takeover in Tehran. The Iranians elicited the
help of local carpet weavers to reconstruct sensitive documents, which
were sold on the streets of Tehran as a testament to US imperialism.

Just know that with some time and even the help of computer programs like Unshredder, there isn’t much reassurance that your documents will stay shredded.

Document Burn Bag

ITS Tactical also sells "Burn Bags" for important documents (or shreddings from documents) at a reasonable price, just like the kind you'd find at government agencies or in the movies.

Thursday, September 20, 2012

Tuesday, September 11, 2012

Do you have a house/door key lock that you no longer want somebody to have the ability to unlock, but you don't have time to change the locks? Maybe you're a landlord? Or maybe you have some hidden purpose, such as forcing door traffic to a different entry to the building?

LockKill has a solution: a specialty key designed to slip in, bypass tumblers long enough to get all the way set, and then sheer off in place, destroying the lock. It only takes a few seconds.

Warning: the only real way of bringing that lock back from the dead is to replace it.